Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Count one column, sum another, display average on a third then display group by columns

benj851
Explorer
‎10-19-2020 08:23 AM

Hello; 

I'm a bit stuck and looking for assistance. 

Base query returns the following values: Brand SystemId ResponseStatus Amount UniqueIdentifier

I would like to perform work to make the query return stats on top of it:
1. Count the UniqueIdentifier in a new column.
2. Sum the Amount grouping by Brand SystemId ResponseStatus
3. Percent of Total Sum(Amount) by Brand SystemId ResponseStatus
4. Percent of Total count(UniqueIdentifier) by Brand SystemId ResponseStatus

Then I would like the final result to appear like: 

1.2.3.4, then Brand SystemId ResponseStatus --> to demonstrate the groupings. 

 

In splunk I know I can perform counts, and sum, using a grouping, then sum(counts) by, and create averages. What I can't determine is how to line them all together in a single resultset.  Further, if I try to do stats on multiple columns and set it to a new column, it won't accept it (or doing it wrong)

 

I would appreciate any pointers. 

Labels (6)
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-19-2020 10:11 AM 
| makeresults | eval events="V 	System1	Good	34.93	UniqueID1
A	System2	Good	11.94	UniqueID2
V 	System3	Good	6.06	UniqueID3
V 	System2	Bad	13.44	UniqueID4
A	System2	Good	11.94	UniqueID5
V 	System3	Good	6.06	UniqueID6
M	System3	Good	1	UniqueId7"
| rex field=events max_match=0 "(?<events>[^\r\n]+)"
| mvexpand events
| rex field=events max_match=0 "(?<Brand>\S+)\s+(?<SystemId>\S+)\s+(?<ResponseStatus>\S+)\s+(?<Amount>\S+)\s+(?<TRI>\S+)"
| stats count sum(Amount) as Amount by Brand SystemId ResponseStatus
| eventstats sum(Amount) as TotalAmount sum(count) as Total
| eval PercentAmount=100*Amount/TotalAmount
| eval PercentCount=100*count/Total
| fields count, Amount, PercentAmount, PercentCount, Brand, SystemId, ResponseStatus

View solution in original post

Reply
Solved! Jump to solution

benj851
Explorer
‎10-19-2020 09:49 AM
TypeSystemIdResponseStatusApprovedAmountTRI
System1Good34.93UniqueID1
ASystem2Good11.94UniqueID2
System3Good6.06UniqueID3
System2Bad13.44UniqueID4
ASystem2Good11.94UniqueID5
System3Good6.06UniqueID6
MSystem3Good1UniqueId7
0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-19-2020 10:11 AM 
| makeresults | eval events="V 	System1	Good	34.93	UniqueID1
A	System2	Good	11.94	UniqueID2
V 	System3	Good	6.06	UniqueID3
V 	System2	Bad	13.44	UniqueID4
A	System2	Good	11.94	UniqueID5
V 	System3	Good	6.06	UniqueID6
M	System3	Good	1	UniqueId7"
| rex field=events max_match=0 "(?<events>[^\r\n]+)"
| mvexpand events
| rex field=events max_match=0 "(?<Brand>\S+)\s+(?<SystemId>\S+)\s+(?<ResponseStatus>\S+)\s+(?<Amount>\S+)\s+(?<TRI>\S+)"
| stats count sum(Amount) as Amount by Brand SystemId ResponseStatus
| eventstats sum(Amount) as TotalAmount sum(count) as Total
| eval PercentAmount=100*Amount/TotalAmount
| eval PercentCount=100*count/Total
| fields count, Amount, PercentAmount, PercentCount, Brand, SystemId, ResponseStatus
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-19-2020 09:20 AM 
-- base query
| stats count sum(Amount) as Amount by Brand SystemId ResponseStatus
| eventstats sum(Amount) as TotalAmount sum(count) as Total
| eval PercentAmount=100*Amount/TotalAmount
| eval PercentCount=100*count/Total
| fields count, Amount, PercentAmount, PercentCount, Brand, SystemId, ResponseStatus
0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-19-2020 09:14 AM

Can you provide some sample data that could be returned by your basic query and how that might translate into your final result?

Is 1 a count of uniqueids grouping by Brand SystemId ResponseStatus as well?

Does each event have a unique identifier? (That may sound obvious but needs confirming.)

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...